Visual Security Event Analysis - DefCon 13 - 2005
1 like1,182 views
The document summarizes a presentation given by Raffael Marty at DefCon 13 in Las Vegas on visual security event analysis. It discusses how event graphs can be used for real-time monitoring, forensic and historical analysis by visually representing relationships between events and entities. Specific examples shown include using graphs to analyze firewall activity, network scans, port scans, load balancers, and a capture the flag exercise from DefCon 2004.
![Text or Visuals?
► What would you rather look at?
Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?
Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:45:42 rmarty last message repeated 2 times
Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0)
Jun 17 10:00:10 rmarty crond(pam_unix)[30534]: session closed for user root
Jun 17 10:01:02 rmarty crond(pam_unix)[30551]: session opened for user root by (uid=0)
Jun 17 10:01:07 rmarty crond(pam_unix)[30551]: session closed for user root
Jun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
Jun 17 10:05:05 rmarty crond(pam_unix)[30567]: session closed for user idabench
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:28:40 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:45 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:35:28 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:35:31 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:38:51 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:38:52 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:42:35 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:42:38 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Raffael Marty Defcon 2005 Las Vegas 6](https://image.slidesharecdn.com/dc13-marty-120122130141-phpapp01/85/Visual-Security-Event-Analysis-DefCon-13-2005-6-320.jpg)
![Different Node Configurations
Raw Event:
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 ->
192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120
Different node configurations:
SIP Name DIP SIP DIP DPort
192.168.10.90 RPC portmap 192.168.10.255 192.168.10.90 192.168.10.255 111
SIP SPort DPort Name SIP DIP
192.168.10.90 32859 111 RPC portmap 192.168.10.90 192.168.10.255
Raffael Marty Defcon 2005 Las Vegas 13](https://image.slidesharecdn.com/dc13-marty-120122130141-phpapp01/85/Visual-Security-Event-Analysis-DefCon-13-2005-13-320.jpg)
![AfterGlow – color.properties
color.[source|event|target|edge]=
<perl expression returning a color name>
● Array @fields contains input-line, split into tokens:
color.event=“red” if ($fields[1] =~ /^192..*)
● Special color “invisible”:
color.target=“invisible” if ($fields[0] eq
“IIS Action”)
● Edge color
color.edge=“blue”
Raffael Marty Defcon 2005 Las Vegas 39](https://image.slidesharecdn.com/dc13-marty-120122130141-phpapp01/85/Visual-Security-Event-Analysis-DefCon-13-2005-39-320.jpg)
![AfterGlow – color.properties - Example
color.source="olivedrab"
if ($fields[0]=~/191.141.69.4/);
color.source="olivedrab"
if ($fields[0]=~/211.254.110./);
color.source="orangered1"
color.event="slateblue4"
color.target="olivedrab"
if ($fields[2]=~/191.141.69.4/);
color.target="olivedrab"
if ($fields[2]=~/211.254.110./);
color.target="orangered1"
color.edge="firebrick"
if (($fields[0]=~/191.141.69..4/) or
($fields[2]=~/191.141.69.4/))
color.edge="cyan4"
Raffael Marty Defcon 2005 Las Vegas 40](https://image.slidesharecdn.com/dc13-marty-120122130141-phpapp01/85/Visual-Security-Event-Analysis-DefCon-13-2005-40-320.jpg)
Visual Security Event Analysis - DefCon 13 - 2005
- 1. Visual Security Event Analysis DefCon 13 Las Vegas Raffael Marty, GCIA, CISSP Senior Security Engineer @ ArcSight July 29, 2005 *
- 2. Raffael Marty ► Enterprise Security Management (ESM) specialist ► OVAL Advisory Board (Open Vulnerability and Assessment Language) ► ArcSight Research & Development ► IBM Research • Thor - http://thor.cryptojail.net • Log analysis and event correlation research • Tivoli Risk Manager Raffael Marty Defcon 2005 Las Vegas 2
- 3. Table Of Contents ► Introduction ► Related Work ► Basics ► Situational Awareness ► Forensic and Historical Analysis ► AfterGlow Raffael Marty Defcon 2005 Las Vegas 3
- 4. Introduction Raffael Marty Defcon 2005 Las Vegas 4
- 5. Disclaimer IP addresses and host names showing up in event graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance with well-known addresses or host names are purely coincidental. Raffael Marty Defcon 2005 Las Vegas 5
- 6. Text or Visuals? ► What would you rather look at? Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0... Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable? Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 09:45:42 rmarty last message repeated 2 times Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0) Jun 17 10:00:10 rmarty crond(pam_unix)[30534]: session closed for user root Jun 17 10:01:02 rmarty crond(pam_unix)[30551]: session opened for user root by (uid=0) Jun 17 10:01:07 rmarty crond(pam_unix)[30551]: session closed for user root Jun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0) Jun 17 10:05:05 rmarty crond(pam_unix)[30567]: session closed for user idabench Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192 Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Jun 17 10:28:40 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:28:45 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Jun 17 10:35:28 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 10:35:31 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 10:38:51 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:38:52 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:42:35 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 10:42:38 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Raffael Marty Defcon 2005 Las Vegas 6
- 7. Why Using Event Graphs? ► Visual representation of textual information (logs and events) ► Visual display of most important properties ► Reduce analysis and response times • Quickly visualize thousands of events • A picture tells more than a thousand log lines ► Situational awareness • Visualize status of business posture ► Facilitate communication • Use graphs to communicate with other teams • Graphs are easier to understand than textual events Raffael Marty Defcon 2005 Las Vegas 7
- 8. When To Use Event Graphs ► Real-time monitoring • What is happening in a specific business area (e.g., compliance monitoring) • What is happening on a specific network • What are certain servers doing • Look at specific aspects of events ► Forensics and Investigations • Selecting arbitrary set of events for investigation • Understanding big picture • Analyzing relationships Raffael Marty Defcon 2005 Las Vegas 8
- 9. Related Work Raffael Marty Defcon 2005 Las Vegas 9
- 10. Related Work ► Classics • Girardin Luc, “A visual Approach for Monitoring Logs” , 12th USENIX System Administration Conference • Erbacher: “Intrusion and Misuse Detection in Large Scale Systems”, IEEE Computer Graphics and Applications • Sheng Ma, et al. “EventMiner: An integrated mining tool for Scalable Analysis of Event Data” ► Tools • Greg Conti, “Network Attack Visualization”, Defcon 2004. • NVisionIP from SIFT (Security Incident Fusion Tools), http://www.ncassr.org/projects/sift/. • Stephen P. Berry, “The Shoki Packet Hustler”, http://shoki.sourceforge.net. Raffael Marty Defcon 2005 Las Vegas 10
- 11. Basics Raffael Marty Defcon 2005 Las Vegas 11
- 12. How To Draw An Event Graph? ... | Normalization | ... Device Parser Event Analyzer / Visualizer Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0... Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable? Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 09:45:42 rmarty last message repeated 2 times Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 NH Log File Event Graph Raffael Marty Defcon 2005 Las Vegas 12
- 13. Different Node Configurations Raw Event: [**] [1:1923:2] RPC portmap UDP proxy attempt [**] [Classification: Decode of an RPC Query] [Priority: 2] 06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF Len: 120 Different node configurations: SIP Name DIP SIP DIP DPort 192.168.10.90 RPC portmap 192.168.10.255 192.168.10.90 192.168.10.255 111 SIP SPort DPort Name SIP DIP 192.168.10.90 32859 111 RPC portmap 192.168.10.90 192.168.10.255 Raffael Marty Defcon 2005 Las Vegas 13
- 14. AfterGlow – Peak Preview ► AfterGlow is not a SIM - there are no parsers (well, tcpdump and sendmail are there). Parser AfterGlow Grapher Graph CSV File LanguageFile color.properties: ► Demo of the tool for use at home and in the Jacuzzi. color.source="red" cat input.csv | ./afterglow.pl –c color.properties color.event="green" | neato –Tgif –o output.gif color.target="blue" Thanks to Christian @ ArcSight! Raffael Marty Defcon 2005 Las Vegas 14
- 15. Situational Awareness Raffael Marty Defcon 2005 Las Vegas 15
- 16. Real-time Monitoring With A Dashboard Raffael Marty Defcon 2005 Las Vegas 16
- 17. Forensic and Historical Analysis Raffael Marty Defcon 2005 Las Vegas 17
- 18. A 3D Example ► An LGL example: Raffael Marty Defcon 2005 Las Vegas 18
- 19. Monitoring Web Servers assetCategory(DestIP)= WebServer Raffael Marty Defcon 2005 Las Vegas 19
- 20. Network Scan Raffael Marty Defcon 2005 Las Vegas 20
- 21. Suspicious Activity? Raffael Marty Defcon 2005 Las Vegas 21
- 22. Port Scan ► Port scan or something else? Raffael Marty Defcon 2005 Las Vegas 22
- 23. Firewall Activity External Machine Internal Machine Rule# Next Steps: Outgoing Incoming 1. Visualize “FW Blocks” of outgoing traffic -> Why do internal machines trigger blocks? 2. Visualize “FW Blocks” of incoming traffic -> Who and what tries to enter my network? 3. Visualize “FW Passes” of outgoing traffic -> What is leaving the network? SIP Rule# DIP Raffael Marty Defcon 2005 Las Vegas 23
- 24. Firewall Rule-set Analysis pass block Raffael Marty Defcon 2005 Las Vegas 24
- 25. Load Balancer Raffael Marty Defcon 2005 Las Vegas 25
- 26. Worms Raffael Marty Defcon 2005 Las Vegas 26
- 27. DefCon 2004 Capture The Flag DstPort < 1024 DstPort > 1024 Source Of Evil Internal Target Other Team's Target Internal Source Internet Target Exposed Services Our Servers SIP DIP DPort Raffael Marty Defcon 2005 Las Vegas 27
- 28. DefCon 2004 Capture The Flag – TTL Games TTL Source Of Evil Internal Target Internal Source SIP DIP TTL Raffael Marty Defcon 2005 Las Vegas 28
- 29. DefCon 2004 Capture The Flag – The Solution DPort Flags TTL Show Node Counts Only show SYNs Raffael Marty Defcon 2005 Las Vegas 29
- 30. Email Cliques From: My Domain From: Other Domain To: My Domain To: Other Domain From To Raffael Marty Defcon 2005 Las Vegas 30
- 31. Email Relays Grey out “my domain” invisible My Domain Make emails to From: From: Other Domain and from “my domain” To: My Domain To: Other Domain Do you run an open relay? From To Raffael Marty Defcon 2005 Las Vegas 31
- 32. Email SPAM? Size > 10.000 Omit threshold = 1 To Size Multiple recipients with same-size messages Raffael Marty Defcon 2005 Las Vegas 32
- 33. Email SPAM? nrcpt => 2 Omit threshold = 1 From nrcpt Raffael Marty Defcon 2005 Las Vegas 33
- 34. BIG Emails Size > 100.000 Omit Threshold = 2 Documents leaving the network? From To Size Raffael Marty Defcon 2005 Las Vegas 34
- 35. Email Server Problems? 2:00 < Delay < 10:00 Delay > 10:00 To To Delay Raffael Marty Defcon 2005 Las Vegas 35
- 36. AfterGlow afterglow.sourceforge.net Raffael Marty Defcon 2005 Las Vegas 36
- 37. AfterGlow ► http://afterglow.sourceforge.net ► Supported graphing tools: • GraphViz from AT&T (dot and neato) http://www.research.att.com/sw/tools/graphviz/ • LGL (Large Graph Layout) by Alex Adai http://bioinformatics.icmb.utexas.edu/lgl/ Raffael Marty Defcon 2005 Las Vegas 37
- 38. AfterGlow – Command Line Parameters ● Some command line parameters: -h : help -t : two node mode -d : print count on nodes -e : edge length -n : no node labels -o threshold : omit threshold (fan-out for nodes to be displayed) -c configfile : color configuration file Raffael Marty Defcon 2005 Las Vegas 38
- 39. AfterGlow – color.properties color.[source|event|target|edge]= <perl expression returning a color name> ● Array @fields contains input-line, split into tokens: color.event=“red” if ($fields[1] =~ /^192..*) ● Special color “invisible”: color.target=“invisible” if ($fields[0] eq “IIS Action”) ● Edge color color.edge=“blue” Raffael Marty Defcon 2005 Las Vegas 39
- 40. AfterGlow – color.properties - Example color.source="olivedrab" if ($fields[0]=~/191.141.69.4/); color.source="olivedrab" if ($fields[0]=~/211.254.110./); color.source="orangered1" color.event="slateblue4" color.target="olivedrab" if ($fields[2]=~/191.141.69.4/); color.target="olivedrab" if ($fields[2]=~/211.254.110./); color.target="orangered1" color.edge="firebrick" if (($fields[0]=~/191.141.69..4/) or ($fields[2]=~/191.141.69.4/)) color.edge="cyan4" Raffael Marty Defcon 2005 Las Vegas 40
- 41. THANKS! raffy@cryptojail.net Raffael Marty Defcon 2005 Las Vegas 41